Data protection guidance for Electoral Registration Officers and Returning Officers

Requirements of a Data Protection Impact Assessment (DPIA)

Data protection legislation does not specify a particular process to be followed when undertaking a DPIA. However, it does set out minimum required features:

  • a description of the proposed processing and the purposes – in relation to anonymous registration, this should include:
    • what the personal data is
    • who will have access 
    • how it will be stored
    • who it will be disclosed to
  • an assessment of the necessity and proportionality of the processing – in most cases for an ERO or RO this will be processing for the performance of a public task
  • an assessment of the risks to the rights of the individuals affected
  • the measures envisaged to address the risks and demonstrate compliance with data protection rules 
    • for example, the measures you put in place to keep the identity of anonymous electors secure

A single DPIA may be undertaken where a set of similar processing operations present similar high risks.

The ICO has provided guidance on DPIAs on its website, which includes examples of good practice.

You should:

  • keep any DPIAs you have in place under review to determine if your processing operations require any further DPIA to be undertaken
  • consider how you can ensure data protection is integral to all of your processing 
  • ensure that all your training – whether for canvassers, polling station staff, or your electoral services team – reflects data protection requirements. This will help you to embed the data protection principles in your work and demonstrate compliance
  • ensure you discuss any data protection training with your council’s Data Protection Officer/Information Officer

Last updated: 22 February 2023